Deployment of Cisco ISE version 1.2.1.198 distribution problem
Dear all, I have 3 ISE nodes (Admin, PSN and MNT) running version 1.2.1.198 with no patch. My MNT node is not in sync with the admin node. I need to apply a certificate, but I get an error. I can't remove it either. I tried to push patch 3, installing it on the Admin node, but it does not push to the MNT or PSN node. I enclose the screenshots for your reference. Please let me know if you need any input from my side.
First, you must configure another ISE node to run the 'Monitoring' persona before you can deregister this node. An ISE deployment requires at least one Administration and one Monitoring persona. For example, you can go to your admin node, enable the Monitoring persona there, and then try to deregister this node again.
I hope this helps!
Please rate helpful posts!
Tags: Cisco Security
Similar Questions
-
Authentication (Windows Server 2013) AD Cisco ISE problem
Background:
Deployed two Cisco ISE 1.1.3 nodes. ISE will be used to authenticate wireless users and admin access to the WLCs and switches. The backend database is Microsoft AD running on Windows Server 2012. The existing Cisco ACS 4.2 is still running and authenticating users. There are two Cisco WLCs running version 7.2.111.3.
Wireless user authentication to AD through ACS 4.2 works. Admin access to the WLCs and switches through ISE works. Wireless authentication uses PEAP-MSCHAPv2 and admin access uses PAP/ASCII.
Problem:
Wireless users cannot authenticate to AD through ISE. The error messages are '11051 RADIUS packet contains invalid state attribute' and '24444 Active Directory operation has failed because of an unspecified error in ISE'.
Conducted a detailed test of the AD connection from ISE. The test succeeded and the result looks fine, except for the following:
xxdc01.XX.com (10.21.3.1)
Ping: 0 mins ago
Status: down
xxdc02.XX.com (10.21.3.2)
Ping: 0 mins ago
Status: down
xxdc01.XX.com
Last success: Thu Jan 1 10:00 1970
Last failure: Mon Mar 11 11:18:04 2013
Successes: 0
Failures: 11006
xxdc02.XX.com
Last success: Fri Mar 11 09:43:31 2013
Last failure: Mon Mar 11 11:18:04 2013
Successes: 25
Failures: 11006
Domain controller: xxdc02.xx.com:389
Domain controller type: unknown, DC functional level: 5
Domain name: xx.COM
IsGlobalCatalogReady: TRUE
DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Actions taken:
(1) Logged in to Cisco ISE and the WLC using AD credentials. This excludes the AD connection, clock and AAA shared secret as the problem.
(2) Tested wireless authentication using EAP-FAST, but the same problem occurs.
(3) The detailed error message is shown below. This excludes any authentication and authorization policies: even before hitting the authentication policy, the AD lookup fails.
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24444 Active Directory operation has failed because of an unspecified error in ISE
(4) Enabled AD debug logging and had a look at the logs. Nothing significant, and no clue about the problem.
(5) Tested wireless on different mobile phones and laptops, with the same error.
(6) Deleted and re-added the AAA client on Cisco ISE and the WLC.
(7) Restarted the ISE services.
(8) Re-joined the domain on Cisco ISE.
(9) Checked the release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Found nothing related to this problem.
(10) There are two ISE nodes and two WLCs deployed. Tested different combinations of ISE1 to WLC1, ISE1 to WLC2, etc. This excludes a hardware problem with the WLC.
Other possibilities/actions:
(1) Test it on another WLC version. Will have to wait for approval to upgrade the WLC software.
(2) Incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012.
Has anyone experienced something similar or have ideas on why this is happening?
Thank you.
Update:
(1) Built another Cisco ISE 1.1.3 server in another data center that uses the same domain but a different domain controller. That domain controller runs Windows Server 2008. This works and authentication is successful.
(2) My colleague tested Cisco ISE 1.1.2 with Windows Server 2012 in a lab environment. He had the same problem as described.
This leads me to think that there is a compatibility issue between Cisco ISE and Windows Server 2012.
Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet. Supported external identity sources (OS/version):
- Microsoft Windows Active Directory 2003 R2, 32-bit and 64-bit
- Microsoft Windows Active Directory 2008, 32-bit and 64-bit
- Microsoft Windows Active Directory 2008 R2, 64-bit only
- Microsoft Windows Active Directory 2003, 32-bit only
http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF
-
Cisco ISE guest settings problem
Hi all
I hope that it will be a miracle.
I'm unable to remove the San Jose location in the guest settings; I get the following error: 'cannot delete locations: San Jose: location referenced by another configuration'. I have attached the settings and the error for reference.
I checked all the settings in the guest tab and deleted any reference to San Jose, except if it is referenced in the configuration wizard, which I wasn't involved in. Where else could this be referenced, and how do I remove it, please? It is only cosmetic, but it is frustrating when creating guest accounts, as it shows the San Jose location when they are in fact located in the United Kingdom. I'm on Cisco ISE version 1.3.
Thank you
Mark
It's a bug: CSCus25245
Description
Symptom:
In ISE 1.3, under Guest Settings > Location and SSID, we cannot delete the default San Jose location. We get the error that it is referenced by another object.
Conditions:
ISE 1.3 - trying to remove the default San Jose location.
-
Cisco ISE profiling - Split Corporate/Guest access
Hi all
I am currently deploying Cisco ISE for my wireless network and would like to divide my WLAN into two different authorization profiles: Guest and Corporate.
For now, I use my Active Directory to authenticate users and profiling to authorize devices by host name. I would like to sort by domain name with the DHCP probe, but I can't because the DHCP messages always carry the domain handed out by the DHCP server. Do you have a solution to separate devices by domain name or another attribute?
Thanks in advance for your answer!
You can create different authorization profiles based on the identity group the users belong to, so make two profiles based on two group memberships (guests / corporate AD users) and assign them different access. Consult the ISE 1.2 configuration guide.
-
Cisco ISE CLI and GUI password expires
I have Cisco ISE version 1.1 and I am facing a problem with the CLI and GUI passwords: they expire and I cannot log in, so I reset the password using the ISE DVD.
I navigate to the ISE CLI, then run the following commands:
conf t
password policy
no password-expiration-enable
and reset the GUI admin password using the command:
# application reset-passwd ise admin
From the ISE GUI I disabled the option for the admin account to expire after 45 days,
but after 60 days the password expires again.
Kindly advise what to check for this expiry issue.
Hello Mostafa,
Yes, the last answer was more towards GUI password management because in the majority of cases it happens with the administrator account on the user interface. I need to know if you've restarted ISE after disabling expiration on the CLI, because what I read a few weeks ago in an internal defect was that password policy settings are not preserved on the CLI after a restart. So, just to check, could you please check the current settings on the CLI with 'show run' to see the password policy.
~ BR
Jatin Kone * Please rate helpful posts *
-
Cisco ISE 1.3 Patch 6 procedure
Hi team,
Please help me with the installation of a patch on Cisco ISE version 1.3.0.876. I intend to patch our ISE HA setup with patch 6. Is there also a way to upgrade? I read that you must install the patch on the primary node, and then the secondary node automatically updates to patch 6. Which command can I use to check that the secondary node is upgraded to patch 6? Also, how much time does the application restart take?
Thanks in advance!
Kind regards
Mady
Hi Mady-
You can perform the installation, roll back and check the status of the patch directly from the GUI on the primary Admin node. You can refer to the ISE 1.3 Administrator's Guide:
Install the patch:
Check the status of the patch:
I hope this helps, even if late :)
-
Cisco ISE: block jailbroken devices or specific Android versions
We have Cisco ISE deployed with an Advanced subscription license. Is it possible to block jailbroken iOS devices and devices with old Android OS versions (or rooted ones) from joining the wireless network?
You can't do that with ISE alone. You will need to purchase a supported MDM solution (AirWatch, MobileIron, Extend360, etc.) and integrate it with ISE. The MDM can then be queried by ISE to check for things like rooted device, PIN, encryption, etc.
-
Cisco ISE Guest Portal - DNS problem - external zone
Hello
I have a client that has the following scenario:
In a wireless deployment with Cisco ISE 1.1.3 and CWA, when the wireless client receives the ISE redirect URL (the URL to access the ISE guest portal), this URL is based on the ISE DNS name, not on its IP address. So the PC cannot resolve this DNS name, because there is no DNS for it in the external zone (for the guests) or via the ISP DNS server addresses provided by the DHCP server, and therefore it cannot access the guest portal at all.
I know that trying to manually hard-code the IP address doesn't work (i.e. in the CWA authorization profile, the equivalent URL redirection via the Cisco AV pair as follows:
cisco-av-pair = url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa
given that the sessionIdValue variable is not replaced by its real value when sent to the wireless client).
My question is: has this issue been addressed in Cisco ISE version 1.2? Has anyone tried it and confirmed it has been fixed? If not in 1.2, does anyone know if this feature will become available?
Thanks in advance for your answers.
Robert C.
Robert,
Manual assignment has been made available in ISE version 1.2.
M.
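A quick offline check for the redirect value discussed in this thread, added here as an example (not from the thread or from Cisco): it parses a cisco-av-pair url-redirect string and flags an IP-literal host (the hand-coded form the thread reports leaves sessionIdValue unsubstituted on 1.1.3), a leftover placeholder, and a non-https or non-CWA redirect. The two sample AV-pairs are constructed; the FQDN and session id in the second one are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed samples. The first mirrors the hard-coded form quoted in the
# thread; the second is a hypothetical FQDN-based value with a substituted
# session id (assumed shape, not a captured value).
SAMPLE_AV_PAIRS = [
    "url-redirect=https://10.10.10.10:8443/guestportal/gateway"
    "?sessionId=sessionIdValue&action=cwa",
    "url-redirect=https://ise.example.local:8443/guestportal/gateway"
    "?sessionId=0a0a0a0a00000123&action=cwa",
]

PLACEHOLDER = "sessionIdValue"


def check_redirect(av_pair: str) -> dict:
    """Parse one url-redirect AV-pair and report what would break a CWA guest."""
    key, sep, url = av_pair.partition("=")
    if not sep or key.strip().lower() != "url-redirect":
        raise ValueError("not a url-redirect AV-pair: %r" % av_pair)
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False  # an FQDN: the guest still has to resolve it
    query = parse_qs(parts.query)
    session_id = query.get("sessionId", [""])[0]
    action = query.get("action", [""])[0]

    findings = []
    if parts.scheme != "https":
        findings.append("redirect is not https")
    if host_is_ip:
        findings.append("host is an IP literal (hand-coded URL)")
    if not session_id:
        findings.append("sessionId missing from query")
    elif session_id == PLACEHOLDER:
        findings.append("sessionId placeholder was not substituted")
    if action != "cwa":
        findings.append("action is not cwa")
    return {
        "host": host,
        "host_is_ip": host_is_ip,
        "session_id": session_id,
        "findings": findings,
    }


def main() -> None:
    for av in SAMPLE_AV_PAIRS:
        result = check_redirect(av)
        status = "OK" if not result["findings"] else "PROBLEM"
        print(status, result["host"], "; ".join(result["findings"]))


if __name__ == "__main__":
    main()
```

The FQDN case passing this check only means the URL is well-formed; whether guests can actually resolve that name from the external zone still has to be verified with a lookup from the guest network.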
-
Hi all
I intend to implement Cisco ISE in my network. I have 1000 endpoints and some mobile devices. I plan to use a distributed approach and all possible licenses.
My question is: should I buy licenses for all nodes? For example, 1000 for the primary node, 1000 for the secondary, 1000 for monitoring and so forth?
Or should I buy only 1000 licenses (I mean 1000 Base + 1000 Advanced + 100 mobile) and apply them to all nodes?
Regards
Max
Hi Max.
ISE is licensed per deployment. So if you have a distributed deployment with, let us say, 10 ISE nodes or servers, you will still only license the primary Administration node.
Now, if you plan to have two deployments (say one deployment for the EMEA region and another for APAC), then you would need licenses for both deployments (you license the primary admin node in each deployment).
I hope this makes sense :)
-
Cisco ISE (Identity Services Engine) - SGA seed device?
Hello
We have a lab with Cisco ISE, certificates and DACLs. Everything works fine with version 1.1.1, but now we want to use the SGA/SGT functionality instead of ACLs, and we found that we need a seed device for this, and that the only device supported is the Nexus 7000. Is this true? Is this the only way we can use SGA/SGT? Are there plans for any other device to be usable as the seed device?
BR, Marko
The seed device is defined as the first device that communicates with ISE. It must be a link.
http://www.Cisco.com/en/us/docs/solutions/enterprise/security/TrustSec_2.0/trustsec_2.0_dig.PDF
In addition, the Nexus needs an Advanced Services license installed in order to support TrustSec.
I can't comment on any future plans.
-
Cisco ISE 1.4 guest account backup
I am currently deploying the guest self-registration portal. I now have some questions I want to confirm, and I want to know whether anyone is facing the same issue as me.
(1) Apart from the REST API, is there any way to export the guest accounts?
(2) Will the backup include the guest accounts or not?
(3) In a 2-node deployment, will guest accounts sync on both nodes?
Sorry for the bad English.
Kind regards
Alan
1.] I don't think so - I can see a feature request open on this:
CSCty82007 ENH: Export guest accounts configured in ISE
2.] Yes - the backup should have all guest accounts.
3.] Cisco ISE guest services use the distributed Cisco ISE management system to allow several Cisco ISE nodes to work in a deployment. Configurations performed on the primary node are replicated to the secondary nodes.
~ Jousset
-
Cisco ISE 2.0 books
Can someone please recommend a good book on ISE 2.0... again, 2.0
IMHO there is no good book on ISE 2.0, because there is no book on ISE 2.0 at all.
I'm aware of only three books on ISE:
- Cisco Press: Cisco ISE for BYOD and Secure Unified Access
- Cisco Press: CCNP Security SISAS 300-208 Official Cert Guide
- Syngress: Practical Deployment of Cisco Identity Services Engine (ISE): Real-World Examples of AAA Deployments
I've read the first and also know the second. They don't cover ISE 2.0. And looking at the table of contents of the third, it looks no better.
Not a book at all, but the best documentation for ISE is ISE product page design guides: http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
-
Cisco ISE 1.3 disable "Identity Resolve" step?
Currently, I am working for a client with a Cisco ISE 1.3 deployment.
The Cisco access points are currently authenticated by MAB. The customer wants to improve on that, so I proposed implementing EAP-FAST instead of MAB for the APs as a quick and easy solution.
It works in the test and production environment, but as I was going through the authentication process I found something strange.
I created a rule that if the tunnel protocol is EAP-FAST, users are authenticated against Internal Users.
It works very well: ISE recognizes the flow and authenticates via Internal Users.
15041 Evaluating Identity Policy
15048 Queried PIP - Network Access.EapAuthentication
15048 Queried PIP - Network Access.EapTunnel
15004 Matched rule - EAP-FAST
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore ->
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Along the way it also decided to look up the user in Active Directory. Since the user has not been created in Active Directory, that fails.
24432 Looking up user in Active Directory ->
24325 Resolving identity ->
24313 Search for matching accounts at join point ->
24318 No matching account found in forest ->
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory ->
15048 Queried PIP - .ExternalGroups
15048 Queried PIP - Network Access.EapTunnel
15004 Matched rule - AP_EAPFAST
15016 Selected Authorization Profile - AP_Lan
11002 Returned RADIUS Access-Accept
So the authentication and authorization succeed, but it tries to resolve the user in Active Directory.
I checked the MAB authentication process, and there I see the same error.
The MAC address of the device used for MAB is also added to ISE, so it authenticates through Internal Users; authentication and authorization succeed, but ISE wants to resolve the user (the MAC address of the device) in Active Directory.
We also see this step for the EAP-TLS flow, and in that case the identity resolution step succeeds.
Is there a way to disable identity resolution against AD when the internal user group is used (or globally)?
I did some research and found this (search for LDAP users):
http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_man_id...
When I look at our deployment, nothing is configured under LDAP.
If you have rules in your authorization policy that use AD groups and that sit before your MAB or EAP-FAST rules, ISE will do a lookup to see if it needs to match that rule. Put your MAB and EAP-FAST rules above the AD-membership rules and it won't do the lookup.
-
ASA VPN access and Cisco ISE admin access
Hello
Currently I'm deploying an AnyConnect VPN solution for my client on ASA 9.2(3). We use ISE 1.3 to authenticate remote users.
In the policy conditions I set the condition as below.
Policy name: Anyconnect
Condition: DEVICE:Device Type EQUALS All Device Types#Dial-in access AND RADIUS:NAS-Port-Type EQUALS Virtual
I'm authenticating users against AD.
I am also restricting users based on group membership in the authorization policies by using the OU attributes.
This works as expected for remote users.
We also use ISE to authenticate administrators logging in to the firewall. Now what happens is that the Cisco ASA also validates administrators against the Anyconnect policy, by its default name.
Now the question is: how do I set up different policy conditions for network admin access and VPN users on the same firewall?
Any suggestions on this would be a great help.
Cheers,
Sri
You can get some ideas from this article of mine:
http://ltlnetworker.WordPress.com/2014/08/31/using-Cisco-ISE-as-a-generic-RADIUS-server/
-
Guys good day.
I am trying to configure the new Cisco ISE 1.3.
I use vWLC software version 7.4.121.
My problem is that when a client authenticates to the ISE server, the endpoint is automatically added to the internal endpoints identity store.
Because of this, if the client leaves the network and tries to join again, the client is found in the internal endpoints and is denied the redirect.
Is this a bug, or is there a setting that I can disable?
You will find the ISE Version 1.3 Hotspot Configuration Example here:
http://www.Cisco.com/c/en/us/support/docs/security/identity-services-Eng...